I have my DNS servers logging to Graylog. One use case I’d like to use Graylog for is to detect someone abusing the DNS servers. Let's say a broken client keeps banging away at the DNS or even DHCP servers. I would use the message count alert condition, but how would I alert on an individual client creating these messages? I guess the same would be true for switchport link flapping. Message count alert condition and somehow identifying the individual client.
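The per-client counting asked about above, as an added example that is not part of the original post and is not Graylog configuration: it keys a sliding-window message count on the client address, so one noisy client trips the threshold while quiet clients do not. The log line format, the `noisy_clients` and `build_sample` names, the addresses and the threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real server's output):
#   "<ISO timestamp> client=<ip> query=<name>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+)$")


def noisy_clients(lines, threshold, window_seconds):
    """Return {client: peak_count} for every client that sent more than
    `threshold` messages inside any window of `window_seconds`.
    Lines are assumed to arrive in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than miscount
        ts = datetime.fromisoformat(m.group(1))
        client = m.group(2)
        q = recent[client]
        q.append(ts)
        # Drop this client's timestamps that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def build_sample():
    """Constructed sample: one client retrying every second, one behaving."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    rows = [(base + timedelta(seconds=i), "10.0.0.5", "retry.example.test")
            for i in range(20)]
    rows += [(base + timedelta(seconds=90 * i), "10.0.0.7", "www.example.test")
             for i in range(3)]
    rows.sort()
    return [f"{ts.isoformat()} client={c} query={q}" for ts, c, q in rows]


if __name__ == "__main__":
    for client, peak in noisy_clients(build_sample(), 5, 10).items():
        print(f"ALERT {client}: {peak} messages within 10s")
```

The same grouping applies to the link-flap case by keying on the switch port field instead of the client address.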